W32/Injector.DVFA!tr
Analysis
W32/Injector.DVFA!tr is a generic detection for a Downloader trojan that may download the Loki or Pony password stealer. Because this is a generic detection, the behaviour of samples covered by it may vary.
Below are some of its observed characteristics/behaviours:
- This malware may drop the following files:
  - %AppData%\[Random]\[Random].exe: This file is a copy of the original malware itself.
  - %Startup%\[Random].vbs: This file serves as an autostart for the original malware or for the dropped copy.
  - %Temp%\[Random].bat: This file is dropped in the %Temp% folder to delete the malware and itself from the host machine after execution.
- This malware may connect to any of the following remote site(s):
- The malware may create the following registry entry to automatically run the dropped copy of itself at startup:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - [Random] = "%AppData%\[Random]\[Random].exe"
- It may inject code into the following process:
  - svchost.exe
- The original copy of the malware may also be deleted after execution.
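Added example, not code from the Fortinet page: a read-only PowerShell triage script that checks a host for the three artifacts described above, a Run value launching an .exe one folder below %AppData%, a .vbs in the user's Startup folder, and an svchost.exe whose parent is not services.exe (the usual sign of a copy launched for injection). It assumes Windows PowerShell 5.1 or later running as the user whose profile is being checked; the svchost check is a heuristic to be confirmed by hand.

```powershell
# Read-only triage for the persistence/injection artifacts listed above.
# Added example, not Fortinet's code. Assumes Windows PowerShell 5.1+ run as the
# user whose profile is being checked. It reports; it removes nothing.

$findings = @()

# 1. HKCU Run values whose command is an .exe exactly one folder below
#    %AppData% (the "%AppData%\[Random]\[Random].exe" pattern above).
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [regex]::Escape($env:APPDATA)
$pattern = '^"?' + $appData + '\\[^\\]+\\[^\\]+\.exe"?\s*$'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        if ($prop.Value -is [string] -and $prop.Value -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = $prop.Name; Detail = $prop.Value }
        }
    }
}

# 2. .vbs files in the user's Startup folder (the "%Startup%\[Random].vbs" loader).
$startup = [Environment]::GetFolderPath('Startup')
foreach ($f in (Get-ChildItem -Path $startup -Filter '*.vbs' -File -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'StartupVbs'; Name = $f.Name; Detail = $f.FullName }
}

# 3. svchost.exe instances not parented by services.exe. Legitimate service
#    hosts are children of services.exe; a copy the trojan launches to inject
#    into usually is not. Heuristic only (PIDs can be reused), so confirm by hand.
$all  = Get-CimInstance Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
foreach ($p in ($all | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent = $byId[[int]$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $findings += [pscustomobject]@{
            Type   = 'OrphanSvchost'
            Name   = $p.ProcessId
            Detail = "parent=$($parent.Name) cmd=$($p.CommandLine)"
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

The %Temp%\[Random].bat is not checked because it deletes itself after running; look for it in file-creation telemetry rather than on disk.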
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.